AB 375 reads like a relative godsend for tech companies. Many voters may not like it, but what they were asking for originally was simply untenable.

This bill passed unanimously (and in a hurry) for a reason: if it hadn’t, the issue would have been deferred to a ballot initiative (CCPA) in November. Given that the latter represented something of a wrecking ball to California’s most important industry, this less extreme version is a fair and welcome compromise.

It allows Californians to ask the three Ws in relation to their data: “whatdo you collect/store?”, “why?”, and “withwhomdo you share it?”

It allows Californians to opt out the of sale of their data.

It allows Californians to request deletion of their data.

That something like this would pass eventually was viewed by insiders as afait accompli.The fallout from the many Facebook disclosures was too widespread, and the advent of measures like the EU’s GDPR gave too compelling a blueprint.

Trouble is, CCPA was a draconian interpretation of GDPR by American standards (possibly by design to leverage the passage of something like AB 375).

The right for Californians to still receive services at the same price and quality after clicking said button.

Restrictions on how personal data could be used for ads (e.g., customer data could no longer be assembled into “profiles”).

But the real issue wasn’t just that the CCPA was viewed as too restrictive. It was that it contained a rider that made it very, very difficult to modify or overturn. If passed, it could only be undone by two-thirds of the popular vote (or else modified by a 70% vote from both state houses).

For obvious (and not totally unfair) reasons, tech companies weren’t going to go gently. Word spread of a war chest of no less than $100m for anti-CCPA ads. The negative effect to their business models would be worth a multiple of that.

But then a better alternative presented itself. The authors of CCPA agreed to pull their initiative off the table if the legislature would pass their own alternative beforehand. Given the upside of at least having a chance to shape said legislation, the tech industry saddled up in begrudging support.

As AB 375 won’t come into effect until January 2020, we can expect the following aspects to yet be softened:

The list of what qualifies as personal data to be made narrower / more concrete.

Direct suit options to be limited in lieu of funneling complaints through bodies like the California AG office.

(Some industry-requested changes were already reflected in AB 375, such as the downgraded placement of the “Don’t Sell My Data” button and the diminished listing requirements for third-party data acquirers.)

Is This Good or Bad?

While I think consumers are right to be both angry and concerned at how Facebook was brokering data (if less at the principle and more at how sloppy the oversight and controls were), harsh restrictions are often a lose-lose.

Consider the nature of services like Hulu and Spotify. They offer a lower tier of service that’s either discounted or free by virtue of offsetting ad revenues. This is harmless to consumers while supplying them a tangible benefit. They get to choose the amount of ads they see relative to how much they want to pay.

But what happens when you restrict Spotify’s ability to serve ads in an efficient way (which is dependent upon the organization of lots and lots of personal data)? Advertisers will pay less per impression. That in turn means one (or both) of two things going up: the cost of subscriptions, and/or the frequency of ads.

Who really wants that?

And what about Quora and Reddit, where ads are the primary revenue stream supporting a high-value free service? If said companies need to create secure data profiles for the sake of staying in business, at what point is our over-concern about that data getting misused or stolen only hurting ourselves as users?

Don’t get me wrong. Consumers should have more control over their data, especially in relation to companies with a history of using it irresponsibly. Tech giants should feel a near-holy obligation to secure that data to the best of their abilities. And where they fail, they should be held to meaningful account.

Viewed in perspective, though, it’s hard to argue against the idea of letting the affected companies havesomeinput into the final legislation. It’ll allow fire to touch the right feet while also ensuring that we don’t go so far in our zeal as to undermine the most valuable engine of growth in the modern world.

Note:Somewhat confusingly, AB 375 will go into law under the same initialism as the ballot initiative (CCPA). For clarity’s sake, I’ve use the initialism here exclusively in reference to the initiative.

This questionoriginally appeared on Quora - the place to gain and share knowledge, empowering people to learn from others and better understand the world. You can follow Quora on Twitter, Facebook, and Google+. More questions: